US20040059917A1 - System and method for authentication and fail-safe transmission of safety messages - Google Patents


Info

Publication number
US20040059917A1
Authority
US
United States
Prior art keywords
safety
message
digital signature
layer
certified
Prior art date
Legal status
Granted
Application number
US10/360,896
Other versions
US7590848B2 (en)
Inventor
Leslie Powers
Current Assignee
Schneider Electric Systems USA Inc
Invensys Software Systems
Original Assignee
Invensys Software Systems
Priority date
Filing date
Publication date
Application filed by Invensys Software Systems
Priority to US10/360,896
Assigned to INVENSYS SOFTWARE SYSTEMS (assignment of assignors interest; assignor: POWERS, LESLIE)
Publication of US20040059917A1
Application granted
Publication of US7590848B2
Assigned to INVENSYS SYSTEMS, INC. (assignment of assignors interest; assignor: POWERS, LESLIE V.)
Assigned to SCHNEIDER ELECTRIC SYSTEMS USA, INC. (change of name; assignor: INVENSYS SYSTEMS, INC.)
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes

Definitions

  • The intelligent sensor 200 includes a safety application 203 a and safety layer 204 a which collectively create “safety messages” indicative of the current state of the sensor 200.
  • Each such safety message is sent by the intelligent sensor 200 through a communications network 201 to the intelligent actuator 202.
  • The safety layer 204 a generates a digital signature 206 for the safety message or a message digest derived therefrom.
  • The corresponding safety layer 204 b of the actuator 202 “verifies” 207 the digital signature to authenticate both the origin and the content of the safety message.
  • The safety layer 204 b will also contain a watchdog timer 210 enabling verification that valid safety messages are periodically received.
  • Each safety layer 204 generally implements one of a variety of encryption algorithms (described below), which are preferably stored in a non-volatile manner and permanently write-protected to discourage tampering.
  • The intelligent sensor 200 could be implemented using, for example, an intelligent pressure, temperature or flow transducer, and the intelligent actuator 202 could be realized as a safety shutoff valve or switch.
  • Intelligent field devices of this type may be realized using, for example, various I/A Series® devices available from the Invensys Foxboro unit of Invensys plc, as modified consistent with the teachings herein.
  • The communications network 201 could be realized as an Ethernet network or as a FOUNDATION Fieldbus network available from Invensys Foxboro.
  • The FOUNDATION Fieldbus is an all-digital, serial, two-way communication system which interconnects field devices, such as transmitters, actuators, and controllers. It functions as a Local Area Network (LAN) with built-in capability to distribute control applications across the network.
  • The network node generating the safety message (i.e., the “source node”) and the network node receiving the safety message (i.e., the “destination node”) may be comprised of electronic devices (e.g., controllers, routers, workstations) lacking sensors or actuators.
  • The source node could include a switch or the like configured with appropriate transmission capabilities.
  • The destination node could comprise a controller or workstation outfitted with a conventional network interface.
  • Safety messages may be transmitted from a source node through a communications network to a controller, and then forwarded from the controller to another network node.
  • The intelligent sensor 200 further includes a plurality of communication layers 205 a.
  • The safety application 203 a, safety layer 204 a and communication layers 205 a may each be implemented in hardware, firmware, software, or some combination thereof.
  • The intelligent actuator 202 similarly includes a plurality of communication layers 205 b in addition to the safety application 203 b and safety layer 204 b. Each of the layers within the actuator 202 may also be implemented in hardware, firmware, software, or some combination thereof.
  • The various functional elements of the intelligent sensor 200 are bifurcated into a safety-certified portion 208 a and a non-safety-certified portion 209 a.
  • The safety-certified portion 208 a includes a safety application 203 a and safety layer 204 a.
  • The non-safety-certified portion 209 a includes the communication layer 205 a.
  • The intelligent actuator 202 is bifurcated into a safety-certified portion 208 b and a non-safety-certified portion 209 b.
  • The safety-certified portion 208 b includes a safety application 203 b and safety layer 204 b.
  • The non-safety-certified portion 209 b includes the communication layer 205 b.
  • The term “safety-certified” indicates that the applicable layer or component has been certified by an authorized organization as being compliant with one or more pertinent international or industry standards.
  • The International Electrotechnical Commission (IEC), Geneva, Switzerland, has promulgated IEC 61508 in support of the use of Safety Instrumented Systems (SISs) as a means of protecting against hazardous events.
  • SISs are composed of sensors, logic solvers, and final control elements assembled for the purpose of transitioning a process to a “safe” or otherwise stable state when predetermined conditions are violated.
  • Other terms commonly used to describe SISs include emergency shutdown systems, safety shutdown systems, and safety interlock systems.
  • The safety application 203 a monitors its state and periodically produces a corresponding safety message.
  • The safety layer 204 a then adds various safety measures to the safety message.
  • Safety measures include a message sequence number, time stamp or the equivalent in order to ensure that successive safety messages are distinguishable. This prevents a potentially malicious third party (e.g., a “hacker”) from simply copying one of the safety messages and sending the copy periodically. Additional measures may include, for example, source, destination, and CRC information.
  • The safety layer 204 a then “signs” 206 the safety message, or a message digest derived therefrom, in order to create an associated digital signature.
  • The communications network 201 transports each safety message and associated digital signature generated by the intelligent sensor 200 to the intelligent actuator 202.
  • The communications network 201 may be comprised of commercial-off-the-shelf (C.O.T.S.) equipment that is not safety-certified.
  • The communications network 201 interfaces with communication layers 205 a and 205 b of the intelligent sensor 200 and intelligent actuator 202, respectively, which are also not safety certified (i.e., are included within the non-safety-certified layers 209 a and 209 b of the intelligent sensor 200 and intelligent actuator 202, respectively).
  • Upon receipt at the intelligent actuator 202 of a safety message and associated digital signature produced by the intelligent sensor 200, the safety layer 204 b verifies 207 the received digital signature to authenticate both the origin and the content of the safety message. In addition, the safety layer 204 b verifies the safety measures, which may include sequence number, time stamp, source, destination, and CRC. The safety layer 204 b will also contain one or more watchdog timers 210 facilitating detection of the loss of periodic receipt of safety messages. In the exemplary embodiment the safety application 203 b of the intelligent actuator 202 monitors the received safety messages and performs some safety action (e.g., changes the ON/OFF state of a valve) if the safety messages indicate an unsafe condition. The safety application 203 b is also configured to undertake some prescribed action if the safety application 203 b does not receive a valid safety message within the required timeout period.
  • Signature generation 206 involves generating a digital signature by applying a private key of a private/public key pair associated with the intelligent sensor 200 to a condensed version of a safety message (i.e., a message digest).
  • The private key is preferably kept in confidence and securely stored within the safety layer 204 a.
  • The resulting digital signature and the safety message are then transmitted to the intelligent actuator 202 via the non-certified communications network 201.
  • A recovered message digest is computed using the safety message received via the communications network 201.
  • The signature verification module 207 uses this recovered message digest and a public key of the intelligent sensor 200 to generate another digital signature for comparison with the digital signature originally created by the intelligent sensor 200. If these digital signatures are the same, the safety message received at the intelligent actuator 202 is presumed valid and may be processed accordingly; if not, the received safety message is deemed invalid or corrupted and discarded.
  • FIG. 3 is a block diagram representative of the operations performed during signature generation 206 and signature verification 207.
  • Signature generation 206 and signature verification 207 are conducted in accordance with the Digital Signature Algorithm (DSA) to generate and verify, respectively, digital signatures based upon safety messages.
  • Other cryptographic algorithms of potential utility in connection with the present invention are DES (Data Encryption Standard) and RSA.
  • RSA is a public key algorithm that can be used for both encryption and digital signatures.
  • The safety layer 204 a of the sensor 200 generates and provides a safety message 302 a to a secure hash algorithm (SHA) 303 a.
  • The SHA 303 a condenses the safety message 302 a to a condensed version termed a message digest 304 a.
  • This hash algorithm may comprise the Secure Hash Algorithm (SHA-1) as specified in the Secure Hash Standard (SHS), FIPS PUB 180-1, National Institute of Standards & Technology, 1995, which is consistent with the Digital Signature Standard.
  • A digital signature 307 is then generated on the basis of the private key 305 of the sensor 200 and the message digest 304 through execution of a DSA Sign Operation 306.
  • The digital signature 307 a and safety message 302 a are then transmitted to the intelligent actuator 202 via the communications network 201.
  • FIG. 3 also illustratively represents the operations performed during signature verification 207 in the actuator 202.
  • This verification 207 involves verifying the digital signature generated during the signature generation 206 occurring within the intelligent sensor 200.
  • A secure hash algorithm 303 b condenses the received message 302 b to a recovered message digest 304 b.
  • A DSA verify operation 308 then verifies the digital signature 307 b given the message digest 304 b and the public key 309 associated with the intelligent sensor 200.
  • The result 320 of the DSA verify operation 308 is either “signature verified” or “signature verification failed”, thereby indicating whether or not the received message 302 b has been authenticated by virtue of its digital signature 307 b.
  • The present invention may be applied to the case in which the intelligent sensor 200 comprises a manual shutdown switch and the intelligent actuator 202 comprises an associated valve.
  • The switch has two positions, RUN and SHUTDOWN. If the position of the switch is SHUTDOWN and the valve does not close, then potentially dangerous consequences may ensue.
  • The shutdown switch periodically sends an “encrypted watchdog” message (i.e., an encrypted safety message) to the valve, indicating that the switch is in the RUN position.
  • The valve expects to periodically receive the encrypted watchdog message, and closes if the message is not received.
  • The message is changed each time it is transmitted, perhaps by including a sequence number or a time stamp. Encryption of the watchdog message may be effected by, for example, using one of the encryption algorithms described above.
  • Digital signatures may be used to authenticate both the origin and content of the transmitted safety messages.
  • Data encryption may be employed instead of digital signatures in connection with message authentication.
  • Data encryption may be used in addition to digital signatures in order to effect such authentication.
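The procedure laid out above (safety measures added by the sensor's safety layer, a DSA signature over a SHA-1 digest, verification plus safety-measure checks in the actuator, and the watchdog timer that forces the safe state), as an added Python example that is not part of the patent: the wire format, the `ActuatorSafetyLayer` class, the addresses, clock values and timeout are constructed, and the DSA parameters are generated at toy sizes purely so the example runs quickly offline.

```python
# Added example, not the patent's code. Wire format, class and sample values are
# constructed; DSA parameter sizes are demo-only (FIPS 186 requires far larger).
import hashlib, random, struct, zlib   # sha1 per FIPS 180-1 as cited by the page; use SHA-2 today
from dataclasses import dataclass
from itertools import accumulate
_RNG = random.SystemRandom()

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases, writing n - 1 = 2**r * d."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_RNG.randrange(2, n - 1), d, n)
        squares = accumulate(range(r - 1), lambda y, _: y * y % n, initial=x)
        if x != 1 and n - 1 not in squares:      # x, x^2, ..., x^(2^(r-1))
            return False
    return True

def dsa_params(qbits=160, pbits=512):
    q = p = 4
    while not _is_probable_prime(q):
        q = _RNG.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while not _is_probable_prime(p):             # p = k*q + 1 with k even
        p = ((_RNG.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1) * q + 1
    g = 1
    while g == 1:                                # h^((p-1)/q) generates the order-q subgroup
        g = pow(_RNG.randrange(2, p - 1), (p - 1) // q, p)
    return p, q, g

def dsa_sign(params, x, digest):
    p, q, g = params
    h = int.from_bytes(digest, "big")
    while True:
        k = _RNG.randrange(1, q)                 # fresh secret nonce per signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, digest, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    h, w = int.from_bytes(digest, "big"), pow(s, -1, q)
    return pow(g, h * w % q, p) * pow(y, r * w % q, p) % p % q == r

HEADER = ">HHIQ"   # constructed wire format: src, dst, sequence, time stamp (ms); then payload, CRC

def build_safety_message(src, dst, seq, ts_ms, state):
    body = struct.pack(HEADER, src, dst, seq, ts_ms) + state.encode()
    return body + struct.pack(">I", zlib.crc32(body))   # CRC over header + payload

@dataclass
class ActuatorSafetyLayer:
    params: tuple
    sensor_pub: int
    addrs: tuple                                 # expected (src, dst)
    timeout_ms: int
    last_seq: int = -1
    last_valid_ms: int = 0
    state: str = "OPEN"

    def receive(self, msg, sig, now_ms):         # True if the message is accepted
        if not dsa_verify(self.params, self.sensor_pub, hashlib.sha1(msg).digest(), sig):
            return False                         # origin or content not authentic
        body, (crc,) = msg[:-4], struct.unpack(">I", msg[-4:])
        src, dst, seq, ts_ms = struct.unpack_from(HEADER, body)
        if zlib.crc32(body) != crc or (src, dst) != self.addrs:
            return False                         # bit error or misrouted
        if seq <= self.last_seq or abs(now_ms - ts_ms) > self.timeout_ms:
            return False                         # replayed copy or stale time stamp
        self.last_seq, self.last_valid_ms = seq, now_ms
        if body[struct.calcsize(HEADER):] != b"OK":
            self.state = "CLOSED"                # sensor itself reports an unsafe condition
        return True

    def watchdog_tick(self, now_ms):             # no valid message in time -> safe state
        if now_ms - self.last_valid_ms > self.timeout_ms:
            self.state = "CLOSED"                # latched; operator reset is out of scope here
        return self.state

def demo():
    p, q, g = params = dsa_params()
    priv = _RNG.randrange(1, q)                  # private key: lives only in the sensor's safety layer
    valve = ActuatorSafetyLayer(params, pow(g, priv, p), addrs=(1, 2), timeout_ms=500)
    t0 = 1_700_000_000_000                       # constructed clock, ms
    msg = build_safety_message(1, 2, 1, t0, "OK")
    sig = dsa_sign(params, priv, hashlib.sha1(msg).digest())
    bad = msg[:-5] + b"X" + msg[-4:]             # payload byte altered after signing
    return {
        "genuine": valve.receive(msg, sig, t0),             # True
        "replay": valve.receive(msg, sig, t0 + 100),        # False: sequence number reused
        "tampered": valve.receive(bad, sig, t0 + 100),      # False: signature fails
        "after_timeout": valve.watchdog_tick(t0 + 600),     # "CLOSED"
    }
```

`demo()` exercises the four outcomes the page cares about: a genuine message is accepted, the identical copy is refused because its sequence number was already consumed, an altered message fails signature verification, and the valve drops to its safe state once no valid message arrives within the timeout.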

Abstract

A system and method for fail-safe transmission of safety messages through communication channels containing non-safety-certified equipment is disclosed herein. Consistent with the disclosed method, digital signatures and/or encryption are used to authenticate both the origin and content of the safety messages. A watchdog timer ensures transition to a safe state if authenticated messages are not received periodically. In a particular implementation, the disclosed method includes generating a safety message indicating the state of a sensor. A digital signature is then generated to sign this safety message. The method further includes communicating the safety message and the digital signature to an actuator. Upon receipt, the safety message is authenticated using the digital signature. A watchdog timer ensures transition to a safe state if authenticated messages are not received periodically.

Description

  • CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims priority under 35 U.S.C. §119(e) to U.S. Provisional Application No. 60/355,282, entitled SYSTEM AND METHOD FOR AUTHENTICATION AND SECURE TRANSMISSION OF SAFETY MESSAGES, which is incorporated by reference herein in its entirety. [0001]
  • FIELD OF THE INVENTION
  • This invention relates to the general field of safety busses and distributed safety systems and, in particular, to a system and method for fail-safe communication of safety messages among field devices. [0002]
  • BACKGROUND OF THE INVENTION
  • Within distributed safety systems, sensing devices will typically periodically issue safety messages to an associated actuator regarding the states of various sensors. Appropriate response to such safety messages is necessary to ensure optimal and safe operation. For example, in the event a safety message indicates a condition has arisen which may lead to catastrophic failure and unsafe operation unless corrected, it is necessary that the appropriate corrective action (e.g., valve shutoff) actually be taken. [0003]
  • In these distributed safety systems, certain bus integrity methods may be used in an attempt to ensure better or more reliable communication of the safety information over the applicable data bus. These methods have included various error checking and coding schemes for detecting and correcting data errors arising within the data communicated via the data bus. For example, a safety message may contain a check sum or cyclic redundancy code (CRC) to detect bit errors. In addition, while particular bus systems, such as the Process Field Bus (“PROFIBUS”) communication protocol and system, may employ various error coding methods in order to identify erroneous data, such systems are generally unsuitable for applications involving safety messages. [0004]
  • Moreover, the increasing automation of network-based industrial processes and control systems has rendered such systems vulnerable to attack by computer “hackers”, i.e., those individuals engaging in malicious code breaking. For example, it is conceivable that hackers may attempt to disrupt process operation by falsely emulating or interfering with the various safety messages transmitted among a distributed arrangement of sensors and actuators. In extreme circumstances, such interference could result in unsafe process operation and potentially dire attendant consequences. [0005]
  • SUMMARY OF THE INVENTION
  • In summary, the present invention pertains to a system and method for transmitting safety messages by way of communication channels containing non-safety-certified equipment. Consistent with the disclosed method, digital signatures and/or encryption may be used to authenticate both the origin and content of the transmitted safety messages. In particular, the present invention leverages digital signature technology and “watchdog” timers to ensure that safety messages are fail-safe, even when transmitted through non-safety-certified equipment. [0006]
  • The present invention relates to a method for fail-safe transmission of safety messages in a network environment. The method includes generating a safety message that indicates the state of a sensor. A digital signature is then generated to sign this safety message. The method further includes communicating the safety message and the digital signature between network nodes. Upon receipt, the safety message may be authenticated using the digital signature and watchdog timers. [0007]
  • In a particular implementation the present invention is directed to a system in which a sending field device creates a safety message, “signs” the message with a digital signature, and sends the message to another field device via a communications network. The receiving field device “verifies” the digital signature to authenticate both the origin and the content of the safety message. In addition, the receiving field device uses a watchdog timer to verify periodic reception of the safety messages. Creation, signing, and verification of the safety message are effected in safety-certified layers within the transmitting field device, even though the intervening communications network may consist of non-safety-certified commercial off the shelf (C.O.T.S.) elements. [0008]
  • This implementation may be exemplified by considering the case in which the transmitting field device comprises an intelligent pressure transducer and the receiving field device comprises an intelligent safety shutoff valve. In this case it is desired to shut off the valve if the monitored pressure exceeds some predefined limit. A safety application in the intelligent pressure transducer periodically sends a safety message indicating that the pressure is still within an acceptable range. A corresponding safety application in the intelligent shutoff valve expects to receive safety messages periodically. If the safety application associated with the valve does not receive a valid message within a predetermined timeout period maintained by a “watchdog timer”, then the valve shuts off. In accordance with the invention, the reliability of this process is enhanced through use of safety-certified elements within the pressure transducer and valve, even though the intervening communications network need not and generally will not be safety-certified. [0009]
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a better understanding of the nature of the features of the invention, reference should be made to the following detailed description taken in conjunction with the accompanying drawings, in which: [0010]
  • FIG. 1 is a block diagram of an exemplary industrial system in which a distributed safety system in accordance with the invention is implemented. [0011]
  • FIG. 2 depicts an intelligent sensor configured to send safety messages through a communications network to an intelligent actuator. [0012]
  • FIG. 3 is a block diagram representative of the operations performed during signature generation and signature verification in accordance with the invention. [0013]
  • DETAILED DESCRIPTION OF THE INVENTION
  • FIG. 1 is a block diagram of an exemplary industrial system 100 in which a distributed safety system in accordance with the invention is implemented. The system 100 includes a plurality of intelligent sensors 120 in communication with a set of intelligent actuators 130 via a communications network 110. In operation, each of the intelligent actuators 130 receives data in the form of “safety messages” from one or more of the intelligent sensors 120. The applicable intelligent actuator 130 then responds by performing an appropriate action (e.g., opening/closing a valve or switch). [0014]
  • As is described below, the present invention contemplates using digital signatures and/or encryption, in conjunction with watchdog timers, to enhance the security and reliability of distributed safety systems. In accordance with this embodiment, a “safety layer” within an intelligent sensor 120 creates a safety message, “signs” the safety message to create a digital signature, and sends the message and digital signature to an intelligent actuator 130 via the communications network 110. A corresponding safety layer within the intelligent actuator 130 “verifies” the digital signature to authenticate both the origin and the content of the safety message. In addition, the safety layer uses a watchdog timer to verify periodic reception of the safety messages. Advantageously, creation, signing, and verification of the safety message are performed in safety-certified layers of the applicable intelligent sensor 120 and intelligent actuator 130, even though the communications network 110 may consist of non-safety-certified commercial off-the-shelf (C.O.T.S.) elements. [0015]
  • As an example, consider an embodiment in which the intelligent sensor 120 comprises an intelligent pressure transducer and the intelligent actuator 130 comprises an intelligent safety shutoff valve in the distributed safety system of FIG. 1. In this case it is desired to shut off the valve if the monitored pressure exceeds some predefined limit. A safety application in the intelligent pressure transducer periodically sends a safety message indicating that the pressure is still within an acceptable range. In this embodiment a corresponding safety application in the intelligent shutoff valve expects to receive safety messages periodically. If the safety application associated with the valve does not receive a valid message within a predetermined timeout period, then the valve shuts off. In accordance with the invention, the reliability of this process is enhanced through use of safety-certified elements within the pressure transducer and valve, even though the intervening communications network need not and generally will not be safety-certified. [0016]
  • Turning now to FIG. 2, there is shown a block diagrammatic representation of an exemplary implementation of an intelligent sensor 200 and an intelligent actuator 202 in accordance with the present invention. In the embodiment of FIG. 2, the intelligent sensor 200 includes a safety application 203 a and safety layer 204 a which collectively create “safety messages” indicative of the current state of the sensor 200. Each such safety message is sent by the intelligent sensor 200 through a communications network 201 to the intelligent actuator 202. In accordance with the invention, the safety layer 204 a generates a digital signature 206 for the safety message or a message digest derived therefrom. The corresponding safety layer 204 b of the actuator 202 “verifies” 207 the digital signature to authenticate both the origin and the content of the safety message. The safety layer 204 b will also contain a watchdog timer 210 enabling verification that valid safety messages are periodically received. Each safety layer 204 generally implements one of a variety of encryption algorithms (described below), which are preferably stored in a non-volatile manner and permanently write-protected to discourage tampering. [0017]
  • In a particular embodiment, the intelligent sensor 200 could be implemented using, for example, an intelligent pressure, temperature or flow transducer, and the intelligent actuator 202 could be realized as a safety shutoff valve or switch. Intelligent field devices of this type may be realized using, for example, various I/A Series® devices available from the Invensys Foxboro unit of Invensys plc, as modified consistent with the teachings herein. The communications network 201 could be realized as an Ethernet network or as a FOUNDATION Fieldbus network available from Invensys Foxboro. The FOUNDATION Fieldbus is an all-digital, serial, two-way communication system which interconnects field devices, such as transmitters, actuators, and controllers. It functions as a Local Area Network (LAN) with built-in capability to distribute control applications across the network. [0018]
  • Although the embodiment of FIG. 1 is specific to the context of intelligent sensors and actuators in order to facilitate explanation of the principles of the invention, in other embodiments the network node generating the safety message (i.e., the “source node”) and the network node receiving the safety message (i.e., the “destination node”) may be comprised of electronic devices (e.g., controllers, routers, workstations) lacking sensors or actuators. For example, in certain industrial or transportation applications the source node could include a switch or the like configured with appropriate transmission capabilities. Similarly, the destination node could comprise a controller or workstation outfitted with a conventional network interface. In addition, in certain embodiments safety messages may be transmitted from a source node through a communications network to a controller, and then forwarded from the controller to another network node. As may be appreciated by those skilled in the art, each of these embodiments is within the spirit and scope of the present invention described herein. [0019]
  • As shown in FIG. 2, in addition to the safety application 203 a and the safety layer 204 a, the intelligent sensor 200 further includes a plurality of communication layers 205 a. The safety application 203 a, safety layer 204 a and communication layers 205 a may each be implemented in hardware, firmware, software, or some combination thereof. The intelligent actuator 202 similarly includes a plurality of communication layers 205 b in addition to the safety application 203 b and safety layer 204 b. Each of the layers within the actuator 202 may also be implemented in hardware, firmware, software, or some combination thereof. [0020]
  • As is indicated by FIG. 2, the various functional elements of the intelligent sensor 200 are bifurcated into a safety-certified portion 208 a and a non-safety-certified portion 209 a. In this regard the safety-certified portion 208 a includes a safety application 203 a and safety layer 204 a, while the non-safety-certified portion 209 a includes the communication layer 205 a. Similarly, the intelligent actuator 202 is bifurcated into a safety-certified portion 208 b and a non-safety-certified portion 209 b. As shown, the safety-certified portion 208 b includes a safety application 203 b and safety layer 204 b, while the non-safety-certified portion 209 b includes the communication layer 205 b. [0021]
  • As used herein, the term “safety-certified” indicates that the applicable layer or component has been certified by an authorized organization as being compliant with one or more pertinent international or industry standards. For example, the International Electrotechnical Commission (IEC, Geneva, Switzerland) has promulgated IEC 61508 in support of the use of Safety Instrumented Systems (SISs) as a means of protecting against hazardous events. SISs are composed of sensors, logic solvers, and final control elements assembled for the purpose of transitioning a process to a “safe” or otherwise stable state when predetermined conditions are violated. Other terms commonly used to describe SISs include emergency shutdown systems, safety shutdown systems, and safety interlock systems. Various commercial organizations provide “safety-certified” certification marks and certificates evidencing compliance with applicable international standards, such as IEC 61508. As is discussed below, it is a feature of the present invention that neither the elements of the communication layers 205 a, 205 b, nor those of the communication network 201, are required to be safety-certified in order to ensure the authenticity of the safety messages produced by the intelligent sensor 200 and received by the intelligent actuator 202. [0022]
  • During operation of the intelligent sensor 200, the safety application 203 a monitors its state and periodically produces a corresponding safety message. The safety layer 204 a then adds various safety measures to the safety message. Such safety measures include a message sequence number, time stamp or the equivalent in order to ensure that successive safety messages are distinguishable. This prevents a potentially malicious third party (e.g., a “hacker”) from simply copying one of the safety messages and sending the copy periodically. Additional measures may include, for example, source, destination, and CRC information. As indicated above, the safety layer 204 a then “signs” 206 the safety message, or a message digest derived therefrom, in order to create an associated digital signature. [0023]
  • The communications network 201 transports each safety message and associated digital signature generated by the intelligent sensor 200 to the intelligent actuator 202. In the exemplary embodiment the communications network 201 may be comprised of commercial-off-the-shelf (C.O.T.S.) equipment that is not safety-certified. As shown, the communications network 201 interfaces with communication layers 205 a and 205 b of the intelligent sensor 200 and intelligent actuator 202, respectively, which are also not safety-certified (i.e., are included within the non-safety-certified layers 209 a and 209 b of the intelligent sensor 200 and intelligent actuator 202, respectively). [0024]
  • Upon receipt at the intelligent actuator 202 of a safety message and associated digital signature produced by the intelligent sensor 200, the safety layer 204 b verifies 207 the received digital signature to authenticate both the origin and the content of the safety message. In addition, the safety layer 204 b verifies the safety measures, which may include sequence number, time stamp, source, destination, and CRC. The safety layer 204 b will also contain one or more watchdog timers 210 facilitating detection of the loss of periodic receipt of safety messages. In the exemplary embodiment the safety application 203 b of the intelligent actuator 202 monitors the received safety messages and performs some safety action (e.g., changes the ON/OFF state of a valve) if the safety messages indicate an unsafe condition. The safety application 203 b is also configured to undertake some prescribed action if the safety application 203 b does not receive a valid safety message within the required timeout period. [0025]
  • As is discussed below, signature generation 206 involves generating a digital signature by applying a private key of a private/public key pair associated with the intelligent sensor 200 to a condensed version of a safety message (i.e., a message digest). In order to preserve security, the private key is preferably kept in confidence and securely stored within the safety layer 204 a. The resulting digital signature and the safety message are then transmitted to the intelligent actuator 202 via the non-certified communications network 201. Within the intelligent actuator 202, a recovered message digest is computed using the safety message received via the communications network 201. Using this recovered message digest and a public key of the intelligent sensor 200, the signature verification module 207 generates another digital signature for comparison with the digital signature originally created by the intelligent sensor 200. If these digital signatures are the same, the safety message received at the intelligent actuator 202 is presumed valid and may be processed accordingly; if not, the received safety message is deemed invalid or corrupted and discarded. [0026]
  • SIGNATURE GENERATION AND VERIFICATION
  • FIG. 3 is a block diagram representative of the operations performed during signature generation 206 and signature verification 207. In the exemplary embodiment of FIG. 3, signature generation 206 and signature verification 207 are conducted in accordance with the Digital Signature Algorithm (DSA) to generate and verify digital signatures based upon safety messages, respectively. In this regard the Digital Signature Standard (DSS), Federal Information Processing Standard Publication (FIPS) PUB 186, specifies the Digital Signature Algorithm, which comprises a known public key algorithm used for digital signatures. Other cryptographic algorithms of potential utility in connection with the present invention are DES (Data Encryption Standard) and RSA. DES is a symmetric algorithm with a fixed key length, while RSA is a public key algorithm that can be used for both encryption and digital signatures. [0027]
  • Turning now to FIG. 3, the safety layer 204 a of the sensor 200 generates and provides a safety message 302 a to a secure hash algorithm (SHA) 303 a. The SHA 303 a condenses the safety message 302 a to a condensed version termed a message digest 304 a. This hash algorithm may comprise the Secure Hash Algorithm (SHA-1) as specified in the Secure Hash Standard (SHS), FIPS PUB 180-1, National Institute of Standards & Technology, 1995, which is consistent with the Digital Signature Standard. As shown, a digital signature 307 is then generated on the basis of the private key 305 of the sensor 200 and the message digest 304 through execution of a DSA Sign Operation 306. The digital signature 307 a and safety message 302 a are then transmitted to the intelligent actuator 202 via the communications network 201. [0028]
  • As mentioned above, FIG. 3 also illustratively represents the operations performed during signature verification 207 in the actuator 202. This verification 207 involves verifying the digital signature generated during the signature generation 206 occurring within the intelligent sensor 200. A secure hash algorithm 303 b condenses the received message 302 b to a recovered message digest 304 b. A DSA verify operation 308 then verifies the digital signature 307 b given the message digest 304 b and the public key 309 associated with the intelligent sensor 200. The result 320 of the DSA verify operation 308 is either “signature verified” or “signature verification failed”, thereby indicating whether or not the received message 302 b has been authenticated by virtue of its digital signature 307 b. [0029]
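The sign-and-verify exchange just described (sequence number and time stamp as safety measures, SHA-1 message digest, DSA sign and verify, watchdog timer), worked through as an added Go example; it is not code from the patent or from any Invensys product. The 13-byte wire layout, the names Send, Receive, Tick and NewPair, and the 500 ms timeout are assumptions, and Go's standard crypto/dsa package stands in for a safety-certified implementation.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const StateRun, StateShutdown byte = 1, 2 // switch positions carried in the safety message

// Signed is what crosses the non-certified network: the message bytes plus the DSA (r, s) pair.
type Signed struct{ Msg []byte; R, S *big.Int }

// SensorLayer is the sensor-side safety layer (204a): it holds the private key and the sequence counter.
type SensorLayer struct {
	priv dsa.PrivateKey
	seq  uint32
}

// Send builds the next safety message (assumed big-endian layout: seq(4) | unix-ns time stamp(8) | state(1)),
// hashes it with SHA-1 and signs the digest with DSA. Source, destination and CRC fields are left out for brevity.
func (s *SensorLayer) Send(state byte, now time.Time) (Signed, error) {
	s.seq++ // fresh sequence number, so a copied message cannot be replayed later
	msg := make([]byte, 13)
	binary.BigEndian.PutUint32(msg[0:], s.seq)
	binary.BigEndian.PutUint64(msg[4:], uint64(now.UnixNano()))
	msg[12] = state
	digest := sha1.Sum(msg)                                 // message digest 304a (FIPS 180-1)
	r, sg, err := dsa.Sign(rand.Reader, &s.priv, digest[:]) // DSA sign operation 306
	return Signed{Msg: msg, R: r, S: sg}, err
}

// ActuatorLayer is the actuator-side safety layer (204b): public key, replay state and watchdog.
type ActuatorLayer struct {
	pub       dsa.PublicKey
	lastSeq   uint32
	lastValid time.Time
	timeout   time.Duration
	ValveOpen bool
}

// Receive is the verify path (207): the signature first, then the safety measures, then the state.
func (a *ActuatorLayer) Receive(sm Signed, now time.Time) error {
	digest := sha1.Sum(sm.Msg) // recovered message digest 304b
	if !dsa.Verify(&a.pub, digest[:], sm.R, sm.S) { // DSA verify operation 308
		return errors.New("signature verification failed")
	}
	if len(sm.Msg) != 13 {
		return errors.New("bad message length")
	}
	seq, stamp, state := binary.BigEndian.Uint32(sm.Msg[0:]), int64(binary.BigEndian.Uint64(sm.Msg[4:])), sm.Msg[12]
	if seq <= a.lastSeq {
		return errors.New("replayed or stale sequence number")
	}
	if age := now.Sub(time.Unix(0, stamp)); age < 0 || age > a.timeout {
		return errors.New("time stamp outside the acceptance window")
	}
	a.lastSeq, a.lastValid = seq, now
	if state != StateRun {
		a.ValveOpen = false // explicit SHUTDOWN from the switch
	}
	return nil
}

// Tick is the watchdog timer (210): no valid message within the timeout closes the valve.
func (a *ActuatorLayer) Tick(now time.Time) {
	if now.Sub(a.lastValid) > a.timeout {
		a.ValveOpen = false
	}
}

// NewPair generates FIPS 186 DSA parameters (L=1024, N=160, the sizes that pair with SHA-1) and a key pair.
func NewPair(timeout time.Duration, start time.Time) (*SensorLayer, *ActuatorLayer, error) {
	var priv dsa.PrivateKey
	err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160)
	if err == nil {
		err = dsa.GenerateKey(&priv, rand.Reader)
	}
	valve := &ActuatorLayer{pub: priv.PublicKey, timeout: timeout, lastValid: start, ValveOpen: true}
	return &SensorLayer{priv: priv}, valve, err
}

func main() {
	t0 := time.Unix(1000000, 0) // constructed clock, so the run is deterministic
	sensor, valve, err := NewPair(500*time.Millisecond, t0)
	if err != nil {
		panic(err)
	}
	sm, _ := sensor.Send(StateRun, t0)
	fmt.Println("fresh message:", valve.Receive(sm, t0), "| replayed copy:", valve.Receive(sm, t0))
	valve.Tick(t0.Add(time.Second)) // a full second with no valid message
	fmt.Println("valve open after watchdog timeout:", valve.ValveOpen)
}
```

A replayed copy fails on the sequence-number check even though its signature is still valid, and a copy altered in transit fails the DSA verify before any field is looked at.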
  • SIMPLIFIED EXEMPLARY REPRESENTATION
  • In a particular exemplary embodiment, the present invention may be applied to the case in which the intelligent sensor 200 comprises a manual shutdown switch and the intelligent actuator 202 comprises an associated valve. In this embodiment the switch has two positions, RUN and SHUTDOWN. If the position of the switch is SHUTDOWN and the valve does not close, then potentially dangerous consequences may ensue. [0030]
  • During normal operation, the shutdown switch periodically sends an “encrypted watchdog” message (i.e., an encrypted safety message) to the valve, indicating that the switch is in the RUN position. The valve expects to periodically receive the encrypted watchdog message, and closes if the message is not received. The message is changed each time it is transmitted, perhaps by including a sequence number or a time stamp. Encryption of the watchdog message may be effected by, for example, using one of the encryption algorithms described above. [0031]
  • There are a variety of potential ways to maintain in secrecy the private key used in encrypting the watchdog message. One extreme approach might be to set the private key for the switch at the time of its manufacture, and not allow (by quality control) the private key to be communicated from the applicable manufacturing facility. The valve is configured with the corresponding public key, which need not be kept in secrecy. [0032]
  • Of course, in alternative embodiments of the present invention more complicated logic may be employed to determine an appropriate course of action to be taken on the basis of encrypted watchdog messages generated consistent with the invention. For example, configurations could be provided in which the encrypted messages received from any of several sensors could cause closure of a valve, or in which messages from m out of n sensors could lead to closure of such a valve. Moreover, the safety messages generated by each intelligent sensor may be encrypted prior to transmission to an intelligent actuator. The encrypted safety messages received at each actuator would then be decrypted prior to being processed in the manner described above, thereby further discouraging tampering with or “hacking” of the transmitted safety messages. [0033]
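The "m out of n sensors" configuration just described, as an added Go example that is not the patent's own logic: Voter, Report, Demands and ShouldClose are assumed names, and treating a sensor that has fallen silent past the watchdog timeout as demanding closure is an assumption made here for fail-safe behaviour, in line with the single-switch case above. Signature, sequence-number and time-stamp checks are assumed to have been done before Report is called.

```go
package main

import (
	"fmt"
	"time"
)

// Voter implements the m-out-of-n configuration: the valve closes once at least m of the n
// sensors demand it. A sensor demands closure by sending a verified SHUTDOWN message or, as an
// assumption made here, by falling silent for longer than the watchdog timeout.
type Voter struct {
	m, n     int
	timeout  time.Duration
	lastRun  []time.Time // per sensor: time of the last verified RUN message
	shutdown []bool      // per sensor: a verified SHUTDOWN message was received
}

// NewVoter starts all n per-sensor watchdogs at time start.
func NewVoter(m, n int, timeout time.Duration, start time.Time) *Voter {
	v := &Voter{m: m, n: n, timeout: timeout, lastRun: make([]time.Time, n), shutdown: make([]bool, n)}
	for i := range v.lastRun {
		v.lastRun[i] = start
	}
	return v
}

// Report records a verified message from sensor id (0 <= id < n); run=false means SHUTDOWN.
func (v *Voter) Report(id int, run bool, now time.Time) {
	if id < 0 || id >= v.n {
		return // unknown sensor: ignored rather than counted
	}
	if run {
		v.lastRun[id] = now
	} else {
		v.shutdown[id] = true // latched until the sensor is explicitly reset
	}
}

// Demands counts the sensors demanding closure at time now.
func (v *Voter) Demands(now time.Time) int {
	d := 0
	for id := 0; id < v.n; id++ {
		if v.shutdown[id] || now.Sub(v.lastRun[id]) > v.timeout {
			d++
		}
	}
	return d
}

// ShouldClose is the m-out-of-n decision.
func (v *Voter) ShouldClose(now time.Time) bool { return v.Demands(now) >= v.m }

func main() {
	t0 := time.Unix(1000000, 0) // constructed clock
	v := NewVoter(2, 3, time.Second, t0)
	for id := 0; id < 3; id++ {
		v.Report(id, true, t0)
	}
	v.Report(0, false, t0.Add(100*time.Millisecond)) // one SHUTDOWN: 1 of 3, valve stays open
	fmt.Println("after one SHUTDOWN:", v.ShouldClose(t0.Add(200*time.Millisecond)))
	v.Report(2, true, t0.Add(500*time.Millisecond)) // sensor 2 keeps reporting; sensor 1 goes silent
	fmt.Println("sensor 1 silent past timeout:", v.ShouldClose(t0.Add(1200*time.Millisecond)))
}
```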
  • Accordingly, a method has been described herein for transmitting safety messages by way of communication channels comprised of non-safety-certified equipment. Consistent with the disclosed method, digital signatures may be used to authenticate both the origin and content of the transmitted safety messages. In other embodiments data encryption may be employed instead of digital signatures in connection with message authentication. In yet other embodiments data encryption may be used in addition to digital signatures in order to effect such authentication. [0034]
  • The foregoing description, for purposes of explanation, used specific nomenclature to provide a thorough understanding of the invention. However, it will be apparent to one skilled in the art that the specific details are not required in order to practice the invention. In other instances, well-known circuits and devices are shown in block diagram form in order to avoid unnecessary distraction from the underlying invention. Thus, the foregoing descriptions of specific embodiments of the present invention are presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed; obviously, many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the following claims and their equivalents define the scope of the invention. [0035]

Claims (18)

What is claimed is:
1. A safety message generation apparatus comprising:
a sensor disposed to generate state information; and
a safety layer for creating a safety message using said state information and for generating a digital signature based upon said safety message, said digital signature enabling authentication of said safety message subsequent to transmission through a communications network.
2. The safety message generation apparatus of claim 1 wherein said safety layer generates said digital signature by signing said safety message using a private key associated with said sensor, said digital signature being verifiable using a public key.
3. The safety message generation apparatus of claim 1 wherein said safety layer creates a message digest based upon said state information, said message digest being signed using a private key in order to generate said digital signature.
4. The safety message generation apparatus of claim 1 further including a safety application operative to monitor a state of said sensor and to generate said state information accordingly.
5. The safety message generation apparatus of claim 1 wherein said safety layer adds sequence number information to said state information in connection with creating said safety message.
6. The safety message generation apparatus of claim 1 wherein said safety layer adds time stamp information to said state information in connection with creating said safety message.
7. A method for fail-safe transmission of safety messages in a network environment, said method comprising:
generating a safety message at a source node;
creating a digital signature based upon said safety message; and
communicating said safety message and said digital signature to a destination node, said digital signature enabling authentication of said safety message as received.
8. The method of claim 7, wherein said creating a digital signature includes:
generating a message digest by condensing said safety message using a hash function; and
signing said message digest using a private key.
9. The method of claim 8, wherein:
said source node generates an authenticating message digest using said hash function and said safety message; and
said destination node verifies said digital signature using said authenticating message digest and a public key corresponding to said private key.
10. The method of claim 9 wherein said destination node transitions to a safe state if said safety messages are not received on a periodic basis.
11. The method of claim 7 wherein said safety message includes a sequence number or time stamp.
12. The method of claim 7 further including:
receiving additional state information indicative of a subsequent state of said sensor;
generating an additional safety message using said additional state information, said additional safety message containing a sequence number or time stamp;
creating an additional digital signature based upon said additional safety message; and
communicating said additional safety message and additional digital signature to said destination node.
13. A system for fail-safe transmission of safety messages in a network environment including a communications network, said system comprising:
an intelligent sensor apparatus including a sensor and:
a first safety-certified application,
a first safety-certified layer,
a first non-safety-certified layer wherein said first safety-certified layer is operative to generate a safety message and associated digital signature based upon state information received from said sensor;
means for transmitting said safety message and said associated digital signature over said communications network; and
an intelligent actuator apparatus communicatively coupled to said intelligent sensor via said communications network, said intelligent actuator including
an actuator, and
a second safety-certified application, a second safety-certified layer and a second non-safety-certified layer wherein said second safety-certified layer is operative to use said digital signature in order to verify authenticity of said safety message communicated over said network and thereby enable said actuator to perform an action in accordance with said state information.
14. A method for fail-safe transmission of safety messages from a sensor to an actuator entity, said method comprising the steps of:
generating a safety message representative of a status of said sensor;
creating a message digest based upon said safety message;
generating a digital signature using said message digest; and
communicating said digital signature and said safety message to said actuator entity, said digital signature enabling authentication of said safety message as received at said actuator entity.
15. The method of claim 14 wherein said digital signature is generated by signing said message digest using a private key associated with said sensor, said digital signature being verifiable using a public key.
16. The apparatus of claim 1 wherein said sensor includes a safety-certified layer incorporating said safety layer and a non-safety-certified layer.
17. The method of claim 7 wherein said source node includes a safety-certified layer disposed to generate said safety message and a non-safety-certified layer.
18. The method of claim 17 or claim 1 wherein said destination node includes a safety-certified layer and a non-safety-certified layer.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
US10/360,896 (US7590848B2) | 2002-02-07 | 2003-02-07 | System and method for authentication and fail-safe transmission of safety messages

Applications Claiming Priority (2)

Application Number | Priority Date | Filing Date | Title
US35528202P | 2002-02-07 | 2002-02-07 |
US10/360,896 (US7590848B2) | 2002-02-07 | 2003-02-07 | System and method for authentication and fail-safe transmission of safety messages

Publications (2)

Publication Number | Publication Date
US20040059917A1 | 2004-03-25
US7590848B2 | 2009-09-15

Family

ID=27734496

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
US10/360,896 (US7590848B2) | System and method for authentication and fail-safe transmission of safety messages | 2002-02-07 | 2003-02-07 | Active 2026-06-13

Country Status (4)

Country | Link
US (1) | US7590848B2
EP (1) | EP1479007B1
AU (1) | AU2003209056A1
WO (1) | WO2003067452A1

US9252956B2 (en) 2010-08-03 2016-02-02 Siemens Aktiengesellschaft Method and system for transmitting control data in a manner that is secured against manipulation
CN106100856A (en) * 2010-08-03 2016-11-09 西门子公司 Method and system for manipulation protected generation transmitting control data
US20150067350A1 (en) * 2012-04-17 2015-03-05 Beckhoff Automation Gmbh Field-bus data transmission
US10438002B2 (en) * 2012-04-17 2019-10-08 Beckhoff Automation Gmbh Field-bus data transmission
US10990662B2 (en) * 2017-12-13 2021-04-27 Endress+Hauser Conducta Gmbh+Co. Kg Method and system for operating an extension on a measuring transducer of process automation technology
US11424865B2 (en) 2020-12-10 2022-08-23 Fisher-Rosemount Systems, Inc. Variable-level integrity checks for communications in process control environments

Also Published As

Publication number Publication date
EP1479007A4 (en) 2010-09-22
EP1479007A1 (en) 2004-11-24
US7590848B2 (en) 2009-09-15
AU2003209056A1 (en) 2003-09-02
EP1479007B1 (en) 2018-01-10
WO2003067452A1 (en) 2003-08-14

Similar Documents

Publication Publication Date Title
US7590848B2 (en) System and method for authentication and fail-safe transmission of safety messages
US20210135881A1 (en) Industrial control system redundant communications/control modules authentication
US9252956B2 (en) Method and system for transmitting control data in a manner that is secured against manipulation
US10051059B2 (en) Methods and apparatus to control communications of endpoints in an industrial enterprise system based on integrity
CA2875518C (en) Industrial control system redundant communications/control modules authentication
EP2680485B1 (en) Key information generation device and key information generation method
RU2459369C2 (en) Method and device for real-time message transfer
RU2690887C2 (en) Modular safety control device
US10728037B2 (en) Method for authenticating a field device of automation technology
JP2022120015A (en) Image capture device for secure industrial control system
US10862675B2 (en) Method for exchanging messages between security-relevant devices
US10204228B2 (en) Device and method for safely operating the device
EP2680148B1 (en) Information processing system, output control device, and data generating device
WO2022110688A1 (en) Field bus-based data transmission method and system, and field bus-based identity verification method and system
US10438002B2 (en) Field-bus data transmission
US9021588B2 (en) Method for processing messages in a communication network comprising a plurality of network nodes
US20210336783A1 (en) Method for checking the authenticity of electronic modules of a modular field device in automation technology
Hajarnavis et al. Realizing Greater System Robustness Through Combining CIP Safety™ and CIP Security™
EP1944942A1 (en) Method for checking the running configuration of a network equipment and network equipment
JP2004362203A (en) Transmission device between devices

Legal Events

Date Code Title Description
AS Assignment

Owner name: INVENSYS SOFTWARE SYSTEMS, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:POWERS, LESLIE;REEL/FRAME:014211/0725

Effective date: 20030314

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: INVENSYS SYSTEMS, INC., MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:POWERS, LESLIE V.;REEL/FRAME:023472/0118

Effective date: 20091103

CC Certificate of correction
FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: SCHNEIDER ELECTRIC SYSTEMS USA, INC., MASSACHUSETT

Free format text: CHANGE OF NAME;ASSIGNOR:INVENSYS SYSTEMS, INC.;REEL/FRAME:043379/0925

Effective date: 20170101

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12